Harsh J commented on YARN-3021:

Thanks again [~vinodkv] and [~yzhangal],

bq. bq. RM can simply inspect the incoming renewer specified in the token and 
skip renewing those tokens if the renewer doesn't match it's own address. This 
way, we don't need an explicit API in the submission context.
bq. I think this will work, and is a preferable solution to me. What do others 

I'd be willing to accept that approach, but for one small worry: Any app 
sending in a token with a bad renewer set could get through with such a change, 
whereas previously it'd be rejected outright. Not that it'd be harmful (as it 
is ignored), but it could still be seen as a behaviour change, no?

The current patch OTOH, is explicit in demanding a config/flag to be set for 
direct awareness of such a thing. That sounds more cleaner to me to do.

> YARN's delegation-token handling disallows certain trust setups to operate 
> properly over DistCp
> -----------------------------------------------------------------------------------------------
>                 Key: YARN-3021
>                 URL: https://issues.apache.org/jira/browse/YARN-3021
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.3.0
>            Reporter: Harsh J
>         Attachments: YARN-3021.001.patch, YARN-3021.002.patch, 
> YARN-3021.003.patch, YARN-3021.patch
> Consider this scenario of 3 realms: A, B and COMMON, where A trusts COMMON, 
> and B trusts COMMON (one way trusts both), and both A and B run HDFS + YARN 
> clusters.
> Now if one logs in with a COMMON credential, and runs a job on A's YARN that 
> needs to access B's HDFS (such as a DistCp), the operation fails in the RM, 
> as it attempts a renewDelegationToken(…) synchronously during application 
> submission (to validate the managed token before it adds it to a scheduler 
> for automatic renewal). The call obviously fails cause B realm will not trust 
> A's credentials (here, the RM's principal is the renewer).
> In the 1.x JobTracker the same call is present, but it is done asynchronously 
> and once the renewal attempt failed we simply ceased to schedule any further 
> attempts of renewals, rather than fail the job immediately.
> We should change the logic such that we attempt the renewal but go easy on 
> the failure and skip the scheduling alone, rather than bubble back an error 
> to the client, failing the app submission. This way the old behaviour is 
> retained.

This message was sent by Atlassian JIRA

Reply via email to